On this week’s show we’ll chat with Troy Hunt of Have I Been Pwned. He’s released version two of his pwned password service and API. Basically it lets websites check to see if a user’s password is one that he has in his dataset. Version two allows this process to happen without users having to send over a complete password hash to HIBP.
It’s making some waves already. It’s a genuinely interesting, free service.
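To make the "no complete hash leaves the client" point concrete, here is an added Python sketch (not code from the show or from Have I Been Pwned) of the client side of the v2 range lookup: the client hashes the password with SHA-1, sends only the first five hex characters, and compares the returned suffixes locally. The range response embedded below is a constructed stand-in for what the service returns (the suffix for "password" is its real SHA-1 tail; the other suffixes and all counts are made up), and `fake_fetch` stands in for the HTTPS request so the example runs offline.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed sample of a range response for the prefix "5BAA6": one line per
# hash sharing that prefix, as "<35 remaining hex chars>:<times seen>".
# Only the "1E4C...8FD8" suffix is real (SHA-1 of "password"); counts are invented.
SAMPLE_RANGE_RESPONSE = (
    "00D4F6E8B1C2A3D4E5F60718293A4B5C6D7:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "F0E1D2C3B4A5968778695A4B3C2D1E0F123:9\r\n"
)

# Records every prefix handed to the (fake) network layer, so a reader can
# confirm that nothing longer than five characters is ever sent.
SENT_PREFIXES: List[str] = []


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count map; skip blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for GET /range/<prefix>; the real service is reached over HTTPS."""
    assert len(prefix) == 5, "the k-anonymity query must be exactly 5 hex chars"
    SENT_PREFIXES.append(prefix)
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def breach_count(password: str, fetch_range: Callable[[str], str] = fake_fetch) -> int:
    """How many times the password appears in the dataset; 0 means no match.

    The full hash (and the password) never leaves this function: only the
    prefix is sent, and the suffix comparison happens here on the client.
    """
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)
```

Swapping `fake_fetch` for a real HTTPS GET of the range endpoint is the only change needed to use this against the live service.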
In this week’s sponsor interview we chat with Trail of Bits security engineer JP Smith about all things blockchain. Trail of Bits has gotten into blockchain stuff because, hey, we’ve all heard about the many, many security issues associated with things like Ethereum smart contracts, and when it comes to blockchain and Ethereum security, well, someone has to do it.
JP will talk us through some of the bug classes he sees as well as talk about the work Trail of Bits has done on its dynamic binary analysis software Manticore in terms of applying it to the Ethereum Virtual Machine.
Adam Boileau, as always, is this week’s news guest.
The show notes/links are below, and you can follow Adam or Patrick on Twitter if that’s your thing.
Show notes
- Cisco's Talos Intelligence Group Blog: Who Wasn’t Responsible for Olympic Destroyer?
- Winter Olympics hack shows how advanced groups can fake attribution
- Russia accused of “false flag” attack on Olympic opening | Ars Technica
- U.S. and U.K. blame Russia for infamous 'NotPetya' cyberattacks
- US grand jury indicts 13 Russian nationals for election meddling
- The Feds Can Now (Probably) Unlock Every iPhone Model In Existence
- Apple Tackles Cellebrite Unlock Claims, Sort Of | Threatpost | The first stop for security news
- Apple moves to store iCloud keys in China, raising human rights fears
- New SEC guidance: Please don't sell your stocks if you have insider info about a breach
- WhatsApp Co-Founder Brian Acton Injects $50 Million in Newly Formed Signal Foundation | WIRED
- SEC.gov | SEC Charges Former Bitcoin-Denominated Exchange and Operator With Fraud
- Kyle Torpey on Twitter: "The $10 Billion lawsuit against Craig Wright claims Wright used a computer-generated font called Otto to forge Dave Kleiman's signature and acquire hundreds of thousands of bitcoins. https://t.co/vFA6uowMZa"
- Australian 'bitcoin founder' Craig Wright accused of stealing billions of dollars worth of bitcoin
- Attorney General Sessions Announces New Cybersecurity Task Force | OPA | Department of Justice
- Jordan ⚡️ Eldredge on Twitter: "Holy moly. You can write a key logger in pure CSS. I wonder if @reddit custom themes would be vulnerable. https://t.co/yfxrLLhOvT https://t.co/WKsrBLCQv5"
- US Border Agents Didn't Verify Any e-Passports Since 2007 Because They Didn't Have the Software
- In-the-wild DDoSes use new way to achieve unthinkable sizes | Ars Technica
- One-stop counterfeit certificate shops for all your malware-signing needs | Ars Technica
- A Hacker Has Wiped a Spyware Company’s Servers—Again - Motherboard
- Hacker Returns $26 Million Worth of Ethereum Back to Hacked Company
- Josh Pitts on Twitter: "I found this interesting code signing bug in macOS. I took the 2011/2012 flashback malware and 'signed' it with a cert from Apple. VirusTotal and WhatsYourSign (@patrickwardle's @objective_see tool) both agree that it's signed by Apple. I have some bug reporting to do... 🤓 https://t.co/vMb9SVSf8a"
- Duo Finds SAML Vulnerabilities Affecting Multiple Implementations | Duo Security
- Flight Simulator Add-On Tried to Catch Pirates By Installing Password-Stealing Malware on Their Computers - Motherboard
- uTorrent vulnerabilities allow information disclosure and remote code execution
- People Are Blasting iOS 'Text Bombs' on Twitter to Crash iPhones - Motherboard
- Troy Hunt: I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download
- Cybersecurity Enforcers Wake Up to Unauthorized Computer Access Via Credential Stuffing – Big Law Business
- Automated bugfinding for the blockchain - YouTube